A cyberattack on a platform that provides services to fintech businesses has compromised the data of those businesses' end users. The attackers most likely broke in through a vulnerability in Zoho ManageEngine software.
According to CISA, ManageEngine software from the Indian firm Zoho has a significant remote code execution (RCE) vulnerability that is being exploited in the wild.
On June 24, Zoho released a fix for the issue, which has a CVSS score of 9.8.
The flaw affects Password Manager Pro, PAM360, and Access Manager Plus and lets attackers run arbitrary code on vulnerable systems. Password Manager Pro and PAM360 are vulnerable because "authentication is not necessary to exploit this issue," Zoho noted in June, advising customers to update immediately.
At least 80 million people across the globe use Zoho’s services. This number includes several Fortune 500 firms such as Netflix, Amazon, Fortinet, Facebook, KPMG, Renault, HP, and Tesla.
Due to "active exploitation evidence," CISA has issued a warning. CyberNews's research team identified one incident in which malicious actors had likely used the vulnerability to get into a target company.
A threat actor breached BankingLab, a SaaS banking platform for fintech firms, and is now offering unfettered access to its clients' servers and customers. BankingLab reportedly used ManageEngine for its network security.
On September 24, a new member of a well-known hacker forum said: "Recently, we got all server rights of BankingLab and collected all client data. It includes the transaction flow of each customer's user and identification information. The SSH key for internal services and other system and server passwords are stored in the PAM360 password management system. I will now provide you access to it along with its master key. We ask that you have pleasure in this."
Financial technology firms may rely on BankingLab for a “complete stack of digital banking services,” which includes tools for managing client accounts, processing payments, issuing cards, and dispensing loans and deposits. Vialet, Simplex, Bankera, and Perlas Finance are just a few of its satisfied customers.
From “enterprise concepts to successful licensed financial institutions,” the firm says it can “guide you” with its technology.
Baltic Amber Solutions (BAS), located in Vilnius, Lithuania, is the owner of the BankingLab brand. In 2021, BAS co-founder and CEO Narimantas Bloznelis told a local news source, “We aim to establish a platform answering to all fintech solution demands, and to become a financial services Amazon.”
CyberNews investigation
The CyberNews investigation team determined that the threat actor provided a SQL database dump and the master key for the PAM360 password management system hosted on bankinglab.com. SQL (Structured Query Language) is a language used in programming and data management; attackers also abuse it to gain backdoor access to data.
Privileged Access Management (PAM) refers to enterprise-level password management, authentication, and access control systems. According to the team's internal research, BankingLab was found to use PAM360 by Zoho ManageEngine.
Mantas Sasnauskas, head of the CyberNews team, said:
"A threat actor or actors demonstrating that they were able to acquire access to the database might have taken over all of the customers' accounts. They even made their own account to further pivot and wreak havoc on consumers' credentials."
The threat actor released a 108 GB database comprising a PostgreSQL dump with a large amount of log data. It also includes other sensitive information, such as email account settings, all user email settings, agent installation and mobile authorization keys, and other sensitive logs.
According to Sasnauskas, “the potential impact could be immense and depends on BankingLab’s response: whether they saw the breach in time, how long threat actors had access to their systems, and whether they have gained access to customer systems as this opens ways for a possible supply-chain attack.”
Cyberattacks are becoming more sophisticated and are no longer limited to a single vulnerable component. Both the scope and the sophistication of this attack were high. Bloznelis told CyberNews after confirming the hack, "It is apparent that threat actors have been planning for it for a long time and in numerous methods."
Bloznelis said that he had notified all impacted customers but did not want to discuss the incident further while the inquiry was ongoing. In addition, BankingLab notified the Lithuanian State Data Protection Inspectorate of the breach.
CyberNews has contacted the Lithuanian Bank, the government agency responsible for supervising the affected fintech firms, as well as the State Data Protection Inspectorate, and will update the story once they respond. It also contacted the impacted businesses, which appeared to be aware of the security incident.
Customer funds are completely secure, and "there's no need to do anything at this time," Bloznelis said. He warned, however, that consumers must remain on guard at all times because of the prevalence of hackers, who use social engineering and other techniques to gain access to users' accounts and sensitive data.
The incident was reported to the Lithuanian Bank last Friday. The bank informed CyberNews that, "to the best of our knowledge," clients' funds were secure, and that the impacted institutions had either resumed normal operations or would do so soon.
The incident was reported to law enforcement and the National Cybersecurity Center.
One of BankingLab's clients, ConnectPay, has assured its users that their login credentials and identifiers remained safe throughout the incident, although "all probable ramifications of the occurrence" cannot be ruled out until the investigation is complete.
Cyberattacks on financial technology firms are widely reported to be increasing. Only last week, another online bank was the target of a hack that exposed some customers' personal information. ConnectPay says it has strengthened its data security and cybersecurity in response to the information war and the increased number of attacks since the Russian invasion of Ukraine, and it plans to continue improving its cybersecurity over the next few years.